Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

MS Crypto API Vuln - CVE-2020-0601 - Any example logs?

dsctm3
Path Finder
‎01-15-2020 07:35 AM

Hello Splunkers!

TL;DR - Has anyone seen an example log generated by the fix for the 2020-January Critical MS Windows CryptoAPI Vuln? (CVE-2020-0601)

Does anyone know what the exact event event looks like? The technet article: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601/ references the following:

  • Event Log: Windows Logs/Application
  • Event Source: Audit-CVE
  • Event ID 1

Event ID 1 seems to be a common dumping ground, and I've never seen any logs from that SourceName (Assuming that's the field to key on)

I'll (for now) run scheduled searches for the following, but have a feeling the data presents differently.

sourcetype=wineventlog:application SourceName=Audit-CVE

Any ideas/thoughts/suggestions?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rmmiller
Contributor
‎01-15-2020 02:12 PM

One of the handlers at the Internet Storm Center (SANS entity) put together a VBA solution that populates the event log with a replica of these events.

Take a look at https://blog.didierstevens.com/2020/01/15/using-cveeventwrite-from-vba-cve-2020-0601/ for more info.

Hope that helps!
rmmiller

View solution in original post

Reply
Solved! Jump to solution

dsctm3
Path Finder
‎01-15-2020 02:55 PM

This is exactly what I was looking for. Many thanks @rmmiller !

0 Karma
Reply
Solved! Jump to solution

rmmiller
Contributor
‎01-15-2020 03:42 PM

Glad I could help! We're all in this mess together! 🙂

Reply
Solved! Jump to solution
Solution

rmmiller
Contributor
‎01-15-2020 02:12 PM

One of the handlers at the Internet Storm Center (SANS entity) put together a VBA solution that populates the event log with a replica of these events.

Take a look at https://blog.didierstevens.com/2020/01/15/using-cveeventwrite-from-vba-cve-2020-0601/ for more info.

Hope that helps!
rmmiller

Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...